    ####    Security Headers
    ## [WARNING] Strict-Transport-Security will stop HTTP access for specified time.
    add_header Strict-Transport-Security "max-age=63072000";
    ## [WARNING] X-Frame-Options DENY will break iframed sites.
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;


    ## [OPTION] Server Name
    ## Commented out, and will be put in each site conf, to allow the rest to work for any subdomain
    ssl_certificate /etc/letsencrypt/live/demu.red/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/demu.red/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/demu.red/fullchain.pem;


    #### SSL Stapling
    ## [WARNING] Requires a valid `ssl_trusted_certificate`
    ssl_stapling on;
    ssl_stapling_verify on;
    ## Google DNS, Open DNS, Dyn DNS.
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
    resolver_timeout 3s;


    ####    Session Tickets
    ssl_session_tickets on;
    ssl_session_timeout 24h;

    ## [WARNING] Session Cache must be the same size in all `server` blocks.
    ssl_session_cache shared:SSL:100m;

    ## [WARNING] Session Ticket Key must have been generated.
    ## $(openssl rand 48 > ticket.key)
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key;


    ####    Diffie-Helman Parameters
    ## [WARNING] Diffie-Helman Parameters must have been generated.
    ## $(openssl dhparam -out dhparam.pem 4096)
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;


    ####    ECDH Curve
    ## [OPTION] Select your preferred curve.

    ## Option 1. [DEFAULT] Typically sufficient.
    ssl_ecdh_curve secp384r1;

    ## Option 2. [WARNING] Slower and breaks some IE on mobiles.
    ## Slightly better with a larger generation.
    #ssl_ecdh_curve secp521r1;


    ####    Preference & Protocols
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


    ####    Cipher List
    ## [OPTION] Pick on Cipher List from Below.
    ## [WARNING] Breaks some browsers on some settings.
    ## Option 1. Super-modern, probably not suitable for production, very secure.
    ## Option 2. [DEFAULT] Modern, no XP, secure.
    ## Option 3. Intermediate, no IE <= 6, less secure.

    ## Cipher List
    ## https://cipherli.st
    ## Grade A  (A+ with HSTS at >= 6 Months)
    ## 100 % Security
    ## Low Compatibility
    ## - No Android 2
    ## - No Java
    ## - No IE < 11
    ## Robust Forward Secrecy
    #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    ## [DEFAULT] Mozilla SSL Configuration Generator
    ## https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ## Nginx for Modern Browsers
    ## Grade A (A+ with HSTS at >= 6 Months)
    ## 90 % Security
    ## Medium Compatibility
    ## - No Java 6 (No DH parameters > 1024 bits)
    ## - No IE on XP
    ## Robust Forward Secrecy
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    ## Mozilla SSL Configuration Generator
    ## https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ## Nginx for Intermediate Browsers
    ## Grade A-
    ## 90 % Security
    ## High Compatibility
    ## - No Java 6 (No DH parameters > 1024 bits)
    ## - No IE 6
    ## Some Forward Secrecy
    #ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
